The CyberWire Daily Podcast 8.26.16
Ep 172 | 8.26.16

Sorry, kids, it's back-to-school. What you should know, fellow youths, and more.


Dave Bittner: [00:00:03:06] Apple issues an out-of-band patch for three iOS zero-days. Shadow Brokers leaks remain under investigation. Phishlabs and TrapX release anti-ransom tools. Ramnit and Dreambot are after bank accounts, and Dreambot spreads over Tor. NIST has a de-identification standard out for comment. AT&T looks at academic networks as students head back to school. Industry news includes some cyber FUD-enabled short-selling. And Russia isn't feeling the love in cyberspace.

Dave Bittner: [00:00:37:03] Time to take a moment to tell you about our sponsor Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cyber security analysts unmatched insight into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's cyber daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today to stay ahead of cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:38:07] I'm Dave Bittner in Baltimore with your CyberWire summary and weekend review for Friday, August 26th, 2016.

Dave Bittner: [00:01:45:06] Apple has issued an out-of-band patch for three vulnerabilities in iOS. These were discovered and disclosed by the University of Toronto's Citizen Lab and security company Lookout. The vulnerabilities, which are being called "Trident" are associated with an intercept toolkit called "Pegasus," sold by NSO Group. Apple addressed three vulnerabilities in its patch: an information leak in the kernel, a kernel memory corruption leading to jailbreak and a memory corruption in Webkit. Users of iOS devices are of course advised to apply the patches as soon as possible.

Dave Bittner: [00:02:17:21] Citizen Lab began its investigation after receiving a phone from Ahmed Mansoor, dissident and human rights activist from the United Arab Emirates. On August 10th and 11th, Mansoor received SMS messages he suspected were phishbait and he sought help from Citizen Lab. Citizen Lab cooperated with Lookout, the well known mobile security company. They found Pegasus, which Lookout calls "the most sophisticated attack we've seen on any endpoint." The link in the phishing message essentially jailbreaks the phone in one click and installs persistent spyware. Pegasus, Citizen Lab says, collects and exfiltrates calls, messages, and a range of personal information, things like contact lists, calendar entries and passwords.

Dave Bittner: [00:03:00:20] NSO Group describes itself as a vendor of lawful intercept tools. Their customer is unknown but circumstantial evidence points strongly towards the government of the United Arab Emirates. What the customer may have paid for Pegasus is also unknown, but observers think it was a lot. Citizen Lab calls Mansoor "the million dollar dissident." Foreign policy notes that the zero-day vendor Zerodium offered a bounty of one million dollars for an exploitable iOS bug, which communicates some sense of the market.

Dave Bittner: [00:03:30:08] Whatever the market may be, it's likely to fall short of the half billion the Shadow Brokers say they want for a bunch of alleged NSA attack code they've come by through obscure means. As far as we know the bidding on their online auction has remained orders of magnitude below their asking price. The US Intelligence Community continues to investigate as Cisco, Huawei, and Juniper Networks are said to be downplaying the impact of the Shadow Brokers' leaked exploits.

Dave Bittner: [00:03:55:14] There's some good news on the ransomware front. Phishlabs has released a decryptor for the recently discovered Alma Locker ransomware strain. And TrapX has released a product called CryptoTrap, said to be effective at diverting the TeslaCrypt, Locky and 7ev3n families of ransomware away from organizations' more valuable assets. CryptoTrap is being marketed to healthcare organizations.

Dave Bittner: [00:04:18:19] Of course backing up files securely remains the single most important measure one can take for protecting against the effects of ransomware. A bit later we'll hear from Johns Hopkins' Joe Carrigan about the ins and outs of backing up your photos.

Dave Bittner: [00:04:31:09] In other cybercrime news, Zscaler's ThreatLabZ today reported finding a cybersquatting campaign that's delivering the AgentTesla keylogger. Zscaler's Director of Research, Deepen Desai, told the CyberWire that AgentTesla is a criminal tool, not one typically used by state security services. The crooks use the keylogger TypoSquat on legitimate domains. The malicious site's url is crafted to be one character different from that of a legitimate site and hence easy to blunder into through a simple typographical error. The payloads carried by the vector include seven modules: a USB spreader, "melt" functionality that can uninstall the malware from a victim machine, a webcam hack, a screenshot exfiltration capability, a keylogger, a password stealer and an anti-analysis function that can detect sandboxes and virtualization, and that disables a variety of security programs.

Dave Bittner: [00:05:26:14] Two familiar banking Trojans are causing fresh trouble. Ramnit is back and it's said to be afflicting six major British banks. And Dreambot, a variant of the familiar Ursnif or Gozi malware, is also out again in the wild. Proofpoint warns that this time Dreambot is spreading over Tor networks.

Dave Bittner: [00:05:44:18] Protection of personal information, especially in systems that collect a lot of it, remains a difficult challenge. In the US, NIST, the proudly non-regulatory - as they call themselves - National Institute of Standards and Technology, has issued a draft publication on de-identifying personal data in government systems. NIST invites comments on this Special Publication 800-188. The goal of the proposed standard is to find ways of de-identifying personal data so that they may be made safely and innocently available for various public purposes.

Dave Bittner: [00:06:18:01] If you're an Australian kid and you're interested in a more palatable educational experience, than tradition and cliché might lead you to expect in the classroom, well good on you. Westpac, Deloitte and other tech leaders are sponsoring a LifeJourney "Day of STEM" down under on September 5th.

Dave Bittner: [00:06:34:12] In industry news, the cyber security sector has seen speculation about an Optiv IPO. Chinese security firm, Qihoo, has taken itself private. Dragos has raised $1.2 million in a seed fund round, and Blackberry continues to work toward its reinvention as a security company. The Financial Times reports an unusual bit of apparent market moving; the paper says a short selling hedge fund called Muddy Waters has publicly alleged cyber vulnerabilities in a pacemaker manufacturer's products in an apparent attempt to put downward pressure on the manufacturer's stock price.

Dave Bittner: [00:07:09:01] A US Federal Court in Seattle has convicted Roman Seleznev of crimes related to a large scale carding operation. Seleznev is the son of a prominent member of the Russian Duma. He was spirited to US Territory Guam from a vacation in the Maldives back in July of 2014. Russian Authorities grumbled about kidnapping, etc, but the extradition stood and Seleznev now faces a sabbatical somewhere in the Bureau of Prisons.

Dave Bittner: [00:07:36:13] Finally, Russia feels it's more sinned against than sinning in cyberspace. Influential Russians say they're more typically the victim than the perpetrator of cybercrime, and they point accusatory fingers in the general direction of Beijing. Who knows? To be sure there's a lot of cybercrime in Russia, although its source and direction can be tough to assess. The world would welcome clarification perhaps from the Seleznevs.

Dave Bittner: [00:08:05:12] Time for another moment from our sponsor, Recorded Future. RFUN 2016 is coming and Washington DC's got it. Join Recorded Future and other leaders in the threat intelligence space this October 5th and 6th. Get industry insight here from top cyber security and corporate strategy experts as they share their ideas and experiences. Teresa Shay, now of In-Q-Tel, formerly NSA's Chief of SIGINT, Christopher Mascaro, Director of Global Cyber Threat Intelligence at First Dater, John Scott-Railton, Senior Research Fellow at the University of Toronto's Citizen Lab, Elias Ladopoulos, you may know him as Acid Phreak, Founder and CEO at Supermassive Corp, Robert M Lee, Founder and CEO at Dragos Security, and course author for SANS FOR578. And finally Joe Navarro, former FBI agent, body language expert and bestselling author. If you're a threat intelligence enthusiast, register for free now at That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:13:05] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe a friend of mine, she recently lost her phone. This was troubling to her because she had about two years' worth of photos on that phone that she had not backed up. Those photos were gone. There's that old joke about if there's a fire in your house, you know, the first thing you should grab are the photo albums because those are your precious family memories. Well our precious family memories are on our mobile devices now.

Joe Carrigan: [00:09:40:02] That's right, yes, and my wife actually has a very similar situation, she takes a lot of pictures. Just yesterday I bought a new SD card for her to put into her phone that's twice the size of the one she had because she's filled it up with pictures. She takes a lot of pictures. A lot of people do this. I personally don't, it's just not in my nature, but there are ways to prevent what happened to your friend from happening. There are a number of services out there, cloud backup services, there's Dropbox, there's OneDrive from Microsoft and there's a Google product, I think it's called Picasa.

Dave Bittner: [00:10:14:13] There's Google Photos, it's the latest one from Google. I actually use that one.

Joe Carrigan: [00:10:18:12] Okay. What happens is when you take a picture of anything on your phone it is uploaded either across your data connection through your wireless provider, or you can actually set a setting that says I don't want to use my data for this but next time I'm connected to WI-fi go ahead and upload the photos. And then these photos are stored in the cloud for you on these service provider's sites.

Dave Bittner: [00:10:43:11] And of course the security angle is you're gaining the benefit of backing up your photos but on the other hand, now someone else has your photos.

Joe Carrigan: [00:10:51:10] Correct, yes exactly. You know you have to make the decision of what the trade off is and you also need to understand the terms of use.

Dave Bittner: [00:11:00:10] Of course.

Joe Carrigan: [00:11:01:16] You need to read the end user license agreement.

Dave Bittner: [00:11:04:18] Yes because we all do that!

Joe Carrigan: [00:11:05:18] Right, absolutely.

Dave Bittner: [00:11:08:18] Yes, I mean the thing that's impressed me about Google Photos are the search capabilities are absolutely amazing. I have family photos in there, I can say "show me all the photos of people in the snow who are sledding" and they all pop up. It's like magic.

Joe Carrigan: [00:11:28:03] It's amazing. I haven't played with Google Photos but I'm going to have to take a look at that. That sounds like an amazing capability.

Dave Bittner: [00:11:36:18] And the thing too I think is that if you can use one of these services that's effortless, where you don't have to do anything but install the app or make it happen, that's a great way to ensure that these precious memories are actually getting backed up.

Joe Carrigan: [00:11:49:16] Right so it's a good way to protect your photo data.

Dave Bittner: [00:11:52:02] Alright Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:11:54:04] My pleasure.

Dave Bittner: [00:11:57:07] I want to take a break and tell you about an exciting CyberWire event happening next month, the third annual Women in Cyber Security Reception, taking place September 27th at the Columbus Center on the beautiful waterfront in Downtown Baltimore. The women in Cyber Security Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking and it brings together leaders from the private sector, academia and government from across the region and women at varying points in the career spectrum. The Reception also provides a forum for women seeking cyber security careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event, it's just about creating connection. This year we're pleased to be partnering with our friends over at the Cyber Security Association of Maryland, CAMI. If your company is interested in supporting this important event we have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this is an invitation only event. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, That's We look forward to hearing from you.

Dave Bittner: [00:13:26:01] Here in the US it's back to school time with kids of all ages grabbing their backpacks, laptops and mobile devices and heading to class. AT&T just released a white paper titled "Helping to Secure Education Networks" which outlines the ways in which schools and colleges are particularly vulnerable to cyber criminals.

Bindu Sundaresan: [00:13:43:04] The hacker community out there knows the value of higher educational data.

Dave Bittner: [00:13:48:04] Bindu Sundaresan is Strategic Security Services Practice Lead with AT&T Security Consulting.

Bindu Sundaresan: [00:13:54:01] So hackers can gain access to information about students, the staff, the alumni, Social Security numbers, financial information, intellectual property, patent information held by universities' research staff so, you know, clearly the type of data that an educational institution houses makes them a truly attractive target for the hacking community. All of this information that they glean, they sell it in the black market to potentially create fake identities, leading to identity theft. So think about this for the future generation - these are our kids whose information is stolen today, 10 years from now when they have to apply for a job and they have to get a car, those are the times that they will find out that their credit history has been manipulated, their identity has been stolen. So you know this information is hot in the marketplace for being able to be used in creating fake identities.

Dave Bittner: [00:14:51:09] Yes, I'd never really considered that part of it, that I suppose a child's identity might be more pure, it doesn't have as much attached to it which may make it valuable. Is that logical?

Bindu Sundaresan: [00:15:04:15] Sure. And we don't keep track of it, right? As an adult, you know, we monitor our credit history but we really don't do that for our children, we don't really look at their personal information being manipulated and we try to keep the innocence of it.

Dave Bittner: [00:15:19:18] Are educational institutions generally under-protected?

Bindu Sundaresan: [00:15:23:16] I would say yes, just because of the nature of the networks that they house, you know, it's an open network, it's about information sharing. Although we are seeing a trend in which educational institutions are making a more conscious choice in terms of security investments. Traditionally, because of the way networks within educational institutions have been architected, it's about being open but at the same time needing to be secure. So are they lagging behind in terms of other industries? I would say yes, but is the growing trend to, you know, make those conscious investments, they are on the right path to be able to invest in this, their growing trend is that they're doing a better job of it.

Dave Bittner: [00:16:03:21] You know I think of my own child who is a high school student and I think of his relationship to the network in his school, and I can't help wondering how much are students part of the problem? You know, is there any sort of adversarial relationship between the students themselves and those who are trying to protect them and protect the school's network?

Bindu Sundaresan: [00:16:22:07] Sure, you know again security is not just a technology problem. At the end of the day it is a human interaction, user related problem. I have a child of my own, most of the time is spent online, you know, who they interact with, how they connect to the network, what is their perception in terms of the big picture, how is it relevant to them? So when we have the cyber security conversations with our kids, we want to make it more realistic for them, - give them examples of how information that is taken from them or what they share online could be used maliciously. Give them that big picture, have that talk with them about cyber safety and talk to them about why we want to install parental controls, why we want to ask them for information on which sites they're on, what are they doing on Snapchat or Instagram for that matter, how all of this information can be weaved together to create a social profile of them by some malicious user.

Dave Bittner: [00:17:24:10] And so what kinds of attacks are most common against educational institutions?

Bindu Sundaresan: [00:17:29:16] So for the larger universities and the larger educational institutions, we've seen the DDoS and the ransomware to be one of the most prevalent types of attacks. We're seeing that, at the end of the day, the exploitation is done so that you get the bandwidth of a larger institution and you're able to use them against the DDoS attack that you want to perform for another organization. It's also about collecting this valuable research information. So we see nation-state actors as part of an organized crime ring going in to see, you know, how they can get access to research data, whether it's nuclear research, you know, whether it is cancer research, all of these patent information that they want to gain from. So DDoS and ransomware would be the top attacks. We're also seeing a growing trend with phishing scams as well as the publication and mobile hack related attacks as well.

Dave Bittner: [00:18:23:15] And then for the enterprises themselves, what kinds of things should they be looking out for?

Bindu Sundaresan: [00:18:28:05] So I think the concept of layered security protection, so the defense in depth approach, back to the basics in terms of making sure that you're securing at each layer, the network layer, the end points, the application layer. As well as have a risk oriented security strategy in place. You cannot protect everything equally so understand where you're collecting the sensitive information, how it's being housed, what are some of the basic steps that you can take to educate your user community. Make sure that security awareness and training is part of that initiative, because ultimately you can invest all the tools and the technologies, but then the end user would be the weakest link, so make sure that you train your users as well.

Dave Bittner: [00:19:10:02] That's Bindu Sundaresan from AT&T Security Consulting. Their new White Paper is "Helping to Secure Education Networks."

Dave Bittner: [00:19:23:04] And that's the CyberWire. To subscribe to our daily podcast or news brief, visit The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jen Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.